Archived - Audit Summary of the Audit of Information Technology Operations

December 2011

Table of Contents

• 1.0 About the Audit
  • 1.1 Information Management and Information Technology (IMIT) Branch Background
  • 1.2 Audit Objective
  • 1.3 Audit Scope
  • 1.4 Audit Methodology
  • 1.5 Statement of Assurance
• 2.0 Summary of Findings
  • 2.1 Service Availability Management
  • 2.2 Service Capacity Management
  • 2.3 Service Level Management
  • 2.4 Service/Help Desk Management
  • 2.5 Identified Strengths
  • 2.6 Conclusion

1.0 About the Audit

1.1 Information Management and Information Technology (IMIT) Branch Background

The Treasury Board's (TB) Policy Framework for Information and Technology provides the strategic context for the TB Policy on Information Management and the TB Directive on Management of Information Technology. The delivery of Information Technology (IT) services within the Canadian Food Inspection Agency (the CFIA or the Agency), at the time of this audit, was the responsibility of the Agency's Chief Information Officer, who reported to the Vice President, Finance, Administration and Information Technology Branch.

The Office of the Chief Information Officer (OCIO) was directly responsible for the management of Information and Technology to ensure the integrity, availability and confidentiality of the CFIA's information systems. The OCIO encompassed seven major groups/divisions that provide IMIT services across the Agency:

• Client Services;
• Systems Management;
• Business and Enterprise Services;
• Information Management;
• Information Technology Operations;
• Solutions Development; and,
• Planning, Reporting and Integrated Resource Management Division.

Effective April 1, 2011, CFIA created a new Information Management and Information Technology (IMIT) Branch to take over this responsibility. The IMIT Branch is responsible for information management and information technology leadership; development of IMIT strategic planning and operational work plans; and the provision of all IMIT services to Agency employees. This change in organizational structure does not impact the findings of this audit. However, the recent transfer of some of the key IMIT service components to the Shared Services Canada (SSC) Agency, a new Agency established August 4, 2011, impacts the full implementation of the audit recommendations by the CFIA. This report highlights the action taken, or committed to be taken by the CFIA. The CFIA will work with SSC to address the findings beyond what has already been done.

During the period under examination, CFIA shared its main data centre^Footnote 1 with Agriculture and Agri-Food Canada (AAFC). The AAFC / CFIA Data Centre's shared facilities were managed jointly by two Data Centre management groups within the CFIA and AAFC. In addition, the following IT services are provided by AAFC to CFIA: Internet, the Human Resources system (PeopleSoft), and financial systems. Telecommunications services, also provided by a third party, are contracted out through Public Works and Government Services Canada.

1.2 Audit Objective

The preliminary objective of this audit as approved in the 2010-13 Risk Based Audit Plan was to provide assurance to the President and Senior Management that operational controls supporting the discharge of OCIO's responsibilities are in compliance with the Treasury Board policies.

Based on the results of Control Self-assessment Checklists completed by the OCIO as part of the planning phase of the audit (see Audit Scope below), as well as consideration of a recent internal audit on IM/IT Governance (May, 2010), the Internal Audit Directorate (IAD) refined the preliminary audit objective as follows:

• To provide assurance that IT operational controls are in place to support the Chief Information Officer, CFIA who is responsible for ensuring the integrity, availability and confidentiality of the Agency's information systems.

1.3 Audit Scope

The IAD identified four key IT service delivery and support processes that could be distinguished from the scope of the IAD's previous IM/IT Governance audit, as follows:

• Service Availability Management;
• Service Capacity Management;
• Service Level Management; and,
• Service/Help Desk Management.

For these processes, the IAD identified a detailed list of IT operational controls for consideration in this audit. Control Self-assessment Checklists developed by the IAD were based on leading standards such as Information Technology Infrastructure Library (ITIL) and Control Objectives for Information and related Technology (COBIT).

OCIO management self-assessed their organization against the Control Self-assessment Checklists, providing feedback on whether controls were in place. The audit program focused on those controls indicated as being completely or partially in place. Controls indicated as not being in place were not included in the audit program. As a result of OCIO management indicating that sufficient controls related to service level agreements were not in place, this process was not included as part of the audit. The other service delivery and support processes also had some controls that OCIO management self-assessed as not being in place, and this was considered in conjunction with the audit findings within those service areas to ensure the observations within the audit report were comprehensive. The examination of the IT operational controls was undertaken for the period April 2010 to March 2011.

1.4 Audit Methodology

The approach and methodology used for this audit is consistent with the Treasury Board Policy on Internal Audit.

Audit criteria were developed based on the completion of the Control Self-assessment Checklists by OCIO management, as outlined above.

The audit program included the following audit procedures:

• Interviews with IT Operations staff;
• Review of relevant documentation, including policies, procedures, and previous assessments and reviews; and,
• Testing of identified IT operational controls.

The audit was conducted within the following timelines:

• Planning Phase: August 2010 to February 2011
• Conduct Phase: February 2011 to March 2011
• Reporting Phase: April 2011 to June 2011
• Table at Audit Committee: October 2011

The audit was conducted with assistance of external resources from Deloitte & Touche LLP.

1.5 Statement of Assurance

In my professional judgment as Chief Audit Executive, sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of this report.

2.0 Summary of Findings

This section presents a summary of the findings from the audit of Information Technology Operations. Findings are based on the evidence and analysis from both our initial risk analysis and the detailed audit conduct.

2.1 Service Availability Management

Service Availability Management refers to the planning, organizing, directing, control and reporting of activities and processes that are associated with ensuring the ongoing availability of IT operation's services, required to meet the business requirements. There were a number of internal controls, tested in the audit, whose purpose is to ensure the continuous availability of the Agency's existing IT operations and to permit the early identification and resolution of incidents and problems. The findings related to these controls are described below:

Physical Security

Weaknesses were noted relating to access control and the physical security of the data centre. Areas of weaknesses with immediate impact were promptly addressed by the IMIT Branch.

IT Operation Risk and Security

The Certification and Accreditation (C&A) process documents the effectiveness of the security controls in a particular operational environment and includes recommendations for new controls to mitigate system vulnerabilities based upon management's authorisation and acceptance of documented risk levels for the system in a formal security accreditation decision.

The audit noted that Statements of Sensitivities have been completed for most of CFIA applications. A formal C&A process, while developed, had not been approved or implemented. Since the time of the audit, the IMIT Branch has an approved C&A process in place and a full suite of supporting documentation.

Roles and Responsibilities

Roles and responsibilities of Data Centre staff had not been formally documented. The audit also noted that a Service Delivery Process was only developed for Data Centre operations, but not applied to all IT Operations activities. A training strategy for Data Centre staff had not been defined. It is noted that staff will be transferred to SSC as part of the shared services consolidation. Since the time of the audit, the IT Operations roles and responsibilities have been formally defined.

Monitoring and logging related to IT Infrastructure

The audit found that an inventory of all IT Operations infrastructure assets is recorded and updated. However, infrastructure that supports applications that were identified as highest priority in the Business Continuity Plans had not been identified. Moreover, few formal policies and procedures are in existence to monitor CFIA infrastructure and equipment for preventive maintenance and other issues. Since the time of the audit the IMIT Branch has identified current critical business priorities, and developed the formal requirements to support the critical IT infrastructure assets. The IMIT Branch is currently working to confirm the formal requirements to support the appropriate level of logging and monitoring and enhancements.

Defined Backup and Storage Requirements

The audit found that a backup schedule exists, but business requirements for backup and storage have not been formally documented, or agreed upon between the IMIT Branch and system business owners. Current backup practices do not ensure disaster recovery processes consistent with the Business Continuity Plan. The IMIT Branch is currently working on a Data Rationalization and Backup Project which will deal with these issues. The expected date of completion of this project is March 2012.

2.2 Service Capacity Management

Service Capacity Management refers to the planning, organizing, directing, control and reporting of activities and processes that are associated with ensuring that sufficient IT infrastructure and resources are in place when required to meet the business needs of the CFIA. The internal controls tested in the audit were intended to help ensure adequate capacity of the Agency's IT operational assets and resources and to permit the early identification and resolution of shortfalls.

The audit found that the CFIA is tracking its IT infrastructure and its lifecycle characteristics. However the manual process does not permit the infrastructure team to produce timely reports. Since the time of the audit, the IMIT Branch has identified automated tools to track the inventory with an anticipated implementation date of March 2012.

The audit also noted that there is an infrastructure Evergreen Project currently under way. The project documentation indicated that as a result of the past inability to secure adequate capital funding for the life cycling of IT infrastructure, the current IT infrastructure is ageing with a significant risk of failing. Since the time of the audit, the Agency has approved replacement of the infrastructure related to back ups, which is scheduled to be completed by March 2012.

2.3 Service Level Management

Service Level Management is the defining, monitoring and management of the quality of service. The key performance indicators range from high level availability and usage statistics to specific transactional performance indicators. The related internal controls were not tested in the audit because the OCIO management indicated that sufficient controls related to Service Level Agreements were not in place.

The audit recommended that OCIO ensure that performance measures and the mechanisms for the service providers to have these reported and monitored, be defined in each service agreement. The audit also recommended that service agreement be regularly reviewed to ensure they are aligned and updated to current business objectives. Since the time of the audit the IMIT Branch indicated that they are now ensuring that the vendors comply with service agreements by reviewing statistics and metrics on a monthly basis.

2.4 Service/Help Desk Management

Service/Help Desk Management refers to the planning, organizing, directing, control and reporting of activities and processes that are associated with recording, prioritizing, tracking, escalating, resolving and closing of end-user incidents and problems associated with the provision of IT services to meet the business requirements of the CFIA. The internal controls tested in the audit were intended to help ensure the effective operation of the Agency's Service/Help Desk and to permit timely resolution of end-user incidents and problems.

The audit found that there are documented processes for the handling of calls and E mails, and there are a variety of tools for use by service desk staff. However, a comprehensive desk manual for service desk staff does not exist. Tickets are not closed regularly or updated with how the service request was resolved. Also, service standards have not been defined, nor is there any monitoring of performance or service request trends.

IMIT Branch has indicated that they have initiated a project that will provide the foundation work towards service standards. As part of this project, roles and responsibilities will be formalized and a desk manual is expected to be developed. A formal review process to ensure tickets are being closed will be implemented.

2.5 Identified Strengths

The following strengths were identified during the audit:

• Environmental Controls for Data Centre Operations were appropriate, monitored, and regularly tested.
• Statements of Sensitivity have been completed for most CFIA applications, and there is a plan to conduct Threat and Risk Assessments on those applications rated as most sensitive.
• IT Operations have begun to formalize their procedures and processes. For example, the draft Data Center Environment Server/Hardware Team Standards and Procedures and Phase 1 of the Service Delivery Process, have been developed.
• A Client Satisfaction Survey for the service desk was completed during February 2011 that indicated that almost 90% of those that used the service desk were satisfied with the service provided.

2.6 Conclusion

Many of the issues noted in the audit have been addressed. The CFIA will work with SSC to address the findings beyond what has already been done. IMIT Branch has recently developed a strategic path forward that aligns with the Government of Canada's direction provided in the Treasury Board's Policy Suite consisting of the Policy Framework for Information and Technology.